Description
Daybyday CRM versions 2.0.0 through 2.2.0 are vulnerable to missing authorization (CWE-862). An attacker holding the lowest-privilege account type (an employee user) can view the appointments of every user in the system, including administrators, even though that user type is not authorized to view the calendar at all.
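As an added illustration of the missing check, the sketch below puts a handler with the vulnerable shape beside a hardened one. This is example code written for this page, not Daybyday CRM's own code and not the content of the fix commit listed under References; the class names, the permission strings 'calendar.view' and 'calendar.view_all', and the handler names are assumptions chosen for the example.

```php
<?php
// Added illustration of CVE-2022-22107 (CWE-862, missing authorization).
// This is NOT Daybyday CRM's code: the class names, the permission strings
// 'calendar.view' / 'calendar.view_all' and the handler names are assumptions
// chosen for the example. Runs stand-alone with: php cve-2022-22107.php

declare(strict_types=1);

final class User
{
    /** @param string[] $permissions */
    public function __construct(
        public int $id,
        public string $role,           // 'administrator' or 'employee'
        public array $permissions,     // permission names (assumed naming)
    ) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class Appointment
{
    public function __construct(public int $id, public int $ownerId, public string $title) {}
}

final class AppointmentRepository
{
    /** @param Appointment[] $rows */
    public function __construct(private array $rows) {}

    /** @return Appointment[] */
    public function all(): array
    {
        return $this->rows;
    }

    /** @return Appointment[] */
    public function ownedBy(int $userId): array
    {
        return array_values(array_filter($this->rows, fn (Appointment $a) => $a->ownerId === $userId));
    }
}

// Vulnerable shape: being logged in is treated as sufficient, so every user's
// appointments (including administrators') are returned to an employee.
function listAppointmentsVulnerable(User $viewer, AppointmentRepository $repo): array
{
    return $repo->all();
}

// Hardened shape: require the same permission the calendar page itself checks,
// then scope the rows to the caller unless they may see everyone's calendar.
function listAppointmentsHardened(User $viewer, AppointmentRepository $repo): array
{
    if (!$viewer->can('calendar.view')) {
        throw new RuntimeException('403 Forbidden: calendar.view is required');
    }
    return $viewer->can('calendar.view_all') ? $repo->all() : $repo->ownedBy($viewer->id);
}

// Constructed sample data (not taken from a real installation).
$repo = new AppointmentRepository([
    new Appointment(1, 1, 'Board meeting'),   // owned by the administrator
    new Appointment(2, 2, 'Client call'),     // owned by the employee
]);
$admin    = new User(1, 'administrator', ['calendar.view', 'calendar.view_all']);
$employee = new User(2, 'employee', []);     // lowest-privilege account, no calendar rights

// Before the fix the employee receives every row, including the administrator's.
$leaked = listAppointmentsVulnerable($employee, $repo);
printf("vulnerable: employee sees %d appointments\n", count($leaked));

// After the fix the employee is refused, consistent with the calendar page.
try {
    listAppointmentsHardened($employee, $repo);
    echo "hardened: employee was allowed (unexpected)\n";
} catch (RuntimeException $e) {
    echo "hardened: employee denied: {$e->getMessage()}\n";
}

// The administrator keeps full access.
printf("hardened: admin sees %d appointments\n", count(listAppointmentsHardened($admin, $repo)));
```

The point of the hardened handler is that the data endpoint applies the same authorization decision as the page that renders it; when a feed is reachable by a user who cannot open the corresponding screen, the check has been made on the view and forgotten on the data.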
References (2)
Patch, Third Party Advisory: https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
Third Party Advisory: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
Scores
CVSS v3
4.3
EPSS
0.0015
EPSS Percentile
35.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-862
Status
published
Products (2)
bottelet/flarepoint
2.0.0 - 2.2.1 (Packagist)
daybydaycrm/daybyday_crm
2.0.0 - 2.2.0
Published
Jan 05, 2022
Tracked Since
Feb 18, 2026